HIPAA Privacy Rules: Protection of Health and Mental Health Information
(45 CFR Parts 160 and 164)
The information provided below is a summary and intended for general information purposes. Information on HIPAA is also found in our Consumer’s Rights Handbook, which can be found at the front desk. A copy of this notice and/or the Consumer’s Rights Handbook is available upon request.
The HIPAA Privacy Rule (45 CFR Parts 160 and 164; see 164.524, 164.528, 164.508 and 164.512(a)) provides the first comprehensive federal protection for the privacy of health and mental health information. The rule is intended to provide strong legal protections to ensure the privacy of an individual’s health information and mental health information, without interfering with the patient’s access to treatment, health care operations, or quality of care. The Privacy Rule applies to ‘covered entities’, which generally include health plans and health care providers who transmit health information in electronic form. Covered entities include almost all health and mental health care providers, whether they are outpatient, residential or inpatient providers, as well as other persons or organizations that bill or are paid for health care.
“Minimum Necessary” Rule:
A covered entity must make responsible efforts to use, request, or disclose to others only the minimum amount of Protected Health Information (or PHI) which is needed to accomplish the intended purpose of use, request or disclosure. When the minimum necessary standard applies, a covered entity may not use, disclose, or request a person’s entire medical record unless it can be specifically justified that the entire record is reasonably needed. The minimum necessary standard does not apply under the following circumstances:
a. Disclosure to a healthcare provider for treatment;
b. Disclosure to an individual (or personal representative) who is the subject of the information;
c. Use or disclosure made pursuant to an Authorization by the person (or personal representative);
d. Use or disclosure that is required by law; or
e. Disclosure to Health and Human Services (or HHS) for investigation or compliance purposes.
Basic Principles of the Privacy Rule:
1. The Privacy Rule protects all ‘protected health information (PHI),’ including individually identifiable health or mental health information held or transmitted by a covered entity in any format, including electronic, paper, or oral statements.
a. A major purpose of the Privacy Rule is to define and limit the circumstances under which an individual’s PHI may be used or disclosed by covered entities. Generally, a covered entity may not use or disclose PHI to others, except as the Privacy Rule permits or requires, or as authorized by the person (or personal representative) who is the subject of the health information. A HIPAA-compliant Authorization must contain specific information required by the Privacy Rule.
2. A covered entity must provide individuals (or their personal representatives) with access to their own PHI (unless there are permitted grounds for denial) and must provide an accounting of the disclosures of their PHI to others upon their request.
3. The Privacy Rule supersedes State law, but State laws that provide greater privacy protections or give individuals greater access to their own PHI remain in effect.
Permitted Uses or Disclosures of PHI Without Authorization
1. A covered entity may disclose PHI to the individual who is the subject of the information.
2. A covered entity may use and disclose protected health information for its own ‘treatment, payment and health care operations.’
a. Treatment is the provision, coordination, or management of healthcare and related services for an individual, including consultation between providers and referral of an individual to another provider for health care.
b. Payment includes activities of a health care provider to obtain payment or receive reimbursement for the provision of health care to an individual.
c. Health care operations include functions such as: (a) quality assessment and improvement; (b) competency assessment, including performance evaluation, credentialing, and accreditation; (c) medical reviews, audits, or legal services; (d) specified insurance functions; and (e) business planning, management, and general administration.
3. Permission may be obtained from the individual who is the subject of the information, or inferred from circumstances that clearly indicate that an individual with the mental capacity to object to the disclosure does not express an objection. Providers may also rely on an individual’s informal permission to disclose health information to the individual’s family, relatives, close personal friends or other persons identified by the individual, limited to the information directly related to such person’s involvement.
4. When an individual is incapacitated or in an emergency, providers sometimes may use or disclose PHI, without authorization, when it is in the best interests of the individual, as determined by health care providers in the exercise of clinical judgment. The PHI that may be disclosed under this provision includes the patient’s name, location in a health care provider’s facility, and limited and general information regarding the person’s condition.
5. Providers may use or disclose PHI without a person’s authorization when the disclosure of PHI is required by law, including State statute or court order.
6. Providers generally may disclose PHI to State and Federal public health authorities to prevent or control injury or disability, and to government authorities authorized to receive reports on child abuse and neglect.
7. Providers may disclose PHI to appropriate government authorities in limited circumstances regarding victims of abuse, neglect, or domestic violence.
8. Providers may disclose PHI to health oversight agencies (e.g., the government agency which licenses a provider) for legally authorized health oversight activities, such as audits and investigations.
9. PHI may be disclosed in a judicial or administrative proceeding if the request is pursuant to a court order, subpoena, or other lawful process (Note: the ‘more stringent’ NYS Mental Hygiene Law requires a court order for the disclosure of mental health information in these circumstances).
10. Providers may generally disclose PHI to law enforcement when:
a. Required by law, or pursuant to a court order, subpoena, or an “administrative request,” such as a subpoena or summons (Note: the ‘more stringent’ NYS Mental Hygiene Law Section 33.13 requires a court order for the disclosure of MHI in these circumstances).
b. In response to a law enforcement request for information about a victim of a crime (Note: under Mental Hygiene Law Section 33.13 this information is limited to “identifying data concerning hospitalization”).
c. To alert law enforcement about criminal conduct on the premises of a HIPAA covered entity.
d. Providers may disclose PHI that they believe necessary to prevent or lessen a serious and imminent physical threat to a person or the public, when such disclosure is made to someone they believe can prevent or lessen the threat (including the target of the threat).
e. Where a program’s sharing of information is required or expressly authorized by statute or regulation, or in other limited circumstances.
Complaints to: Office for Civil Rights, Department of Health and Human Services, Atlanta Federal Center, Suite 3B70, 61 Forsyth Street, S.W., Atlanta, GA 30303-8909. Web site: https://www.hhs.gov/hipaa/filing-a-complaint/index.html?language=es
I HAVE READ AND UNDERSTAND MY RIGHTS UNDER THE HIPAA GUIDELINES.